ADC

Use case for limiting the number of sessions

In this use case, the requirement is to limit the number of active back-end sessions. In the deployment, each login request has "login" in the URL and each logout request has "logout" in the URL. On successful login, the back-end sets a session id cookie with a unique ten-character value.

To achieve this use case, perform the following operations:

  1. Create a map variable that can store each active session. The key of the map is the session id. The expiry time for the variable is set to 600 seconds (10 minutes).

    > add ns variable session_map -type map(text(10),ulong,100) -expires 600
    
  2. Create the following assignments for the map variable:

    • Create an entry for the session id and set that value to 1 (this value is not used).

       > add ns assignment add_session -variable '$session_map[http.req.cookie.value("sessionid")]' -set 1
      
    • Deallocate the entry for a session ID, which implicitly decrements the value count for session_map.

       > add ns assignment delete_session -variable '$session_map[http.req.cookie.value("sessionid")]' -clear
      
  3. Create responder policies for the following:

    • To check if a map entry exists for that session id in the HTTP request. The add_session assignment is run if the map entry does not exist.

       > add responder policy add_session_pol 'http.req.url.contains("login") || $session_map.valueExists(http.req.cookie.value("sessionid"))' add_session
      

      Note: The valueExists() function in the add_session_pol policy counts as a reference to the session’s map entry, so each request resets the expiration timeout for its session. If no requests for a session are received after 10 minutes, the session’s entry will be deallocated.

    • To check when the session is logged out. The delete_session assignment is run.

       add responder policy delete_session_pol "http.req.url.contains(\"Logout\")" delete_session
      
    • To check for login requests when the number of active sessions exceeds 100. If both conditions are satisfied, the user is redirected to a page that indicates that the server is busy, which limits the number of sessions.

       add responder action redirect_too_busy redirect "\"/too_busy.html\""
       add responder policy check_login_pol "http.req.url.contains(\"login\") && $session_map.valueCount > 100" redirect_too_busy
      
  4. Bind the responder policies globally.

    bind responder global add_session_pol 30 next
    bind responder global delete_session_pol 10
    bind responder global check_login_pol 20
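
The following Python model is an added example, not Citrix code or part of the original page; it traces how the three bound policies and the 600-second expiry interact on constructed traffic. It assumes policies are evaluated in ascending priority (10, 20, 30), that every constructed request carries the sessionid cookie, and that login URLs contain "login" as the deployment description states; the map's maximum-entry argument is not modelled.

```python
from dataclasses import dataclass, field

EXPIRES = 600  # seconds, from "-expires 600" on the page

@dataclass
class SessionMap:
    expires: int = EXPIRES
    entries: dict = field(default_factory=dict)  # session id -> last reference time

    def _purge(self, now):
        # Entries idle for `expires` seconds are deallocated.
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.expires}

    def value_exists(self, key, now):
        self._purge(now)
        if key in self.entries:
            self.entries[key] = now  # a reference resets the expiry timer
            return True
        return False

    def value_count(self, now):
        self._purge(now)
        return len(self.entries)

def handle(smap, now, url, sessionid, limit=100):
    """Evaluate the bound policies in priority order 10, 20, 30."""
    if "Logout" in url:  # delete_session_pol
        smap.entries.pop(sessionid, None)  # -clear
        return "logout"
    if "login" in url and smap.value_count(now) > limit:  # check_login_pol
        return "redirect /too_busy.html"
    if "login" in url or smap.value_exists(sessionid, now):  # add_session_pol
        smap.entries[sessionid] = now  # -set 1 creates or overwrites the entry
        return "tracked"
    return "untracked"

def demo():
    # Constructed traffic; limit=2 keeps the threshold easy to follow.
    smap, out = SessionMap(), []
    for i in range(3):  # three logins at t=0
        out.append(handle(smap, 0, "/login", f"sess{i:06d}", limit=2))
    out.append(handle(smap, 1, "/login", "sess000003", limit=2))  # count 3 > 2
    out.append(handle(smap, 2, "/Logout", "sess000000", limit=2))
    out.append(handle(smap, 500, "/app", "sess000001", limit=2))  # refreshed at t=500
    out.append(smap.value_count(700))  # sess000002, idle since t=0, has expired
    out.append(handle(smap, 1200, "/app", "sess000001", limit=2))  # idle 700 s
    return out

if __name__ == "__main__":
    print(demo())
```

Because the comparison is a strict "greater than", the model admits logins until the count is already above the limit, so the third login with limit=2 is still tracked and only the fourth is redirected.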